notes.html revision df3d1c56e488c98f2b10e8fcb35a07a797c66ed7
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This document summarizes changes since the last production release
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of BIND on the corresponding major release branch.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_download"></a>Download</h3></div></div></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The latest versions of BIND 9 software can always be found at
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt There you will find additional information about each release,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source code, and pre-compiled versions for Microsoft Windows
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt operating systems.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
df3d1c56e488c98f2b10e8fcb35a07a797c66ed7Tinderbox User Duplicate EDNS COOKIE options in a response could trigger
df3d1c56e488c98f2b10e8fcb35a07a797c66ed7Tinderbox User an assertion failure. This flaw is disclosed in CVE-2016-2088.
c42708dcc8ca18a41152251654d29f0cdd5b9533Tinderbox User Insufficient testing when parsing a message allowed
c42708dcc8ca18a41152251654d29f0cdd5b9533Tinderbox User records with an incorrect class to be be accepted,
c42708dcc8ca18a41152251654d29f0cdd5b9533Tinderbox User triggering a REQUIRE failure when those records
c42708dcc8ca18a41152251654d29f0cdd5b9533Tinderbox User were subsequently cached. This flaw is disclosed
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User in CVE-2015-8000. [RT #40987]
2ba8603ca962450068fe45f04c5caf8219b0d5f1Tinderbox User Incorrect reference counting could result in an INSIST
2ba8603ca962450068fe45f04c5caf8219b0d5f1Tinderbox User failure if a socket error occurred while performing a
2ba8603ca962450068fe45f04c5caf8219b0d5f1Tinderbox User lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt An incorrect boundary check in the OPENPGPKEY rdatatype
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt could trigger an assertion failure. This flaw is disclosed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in CVE-2015-5986. [RT #40286]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A buffer accounting error could trigger an assertion failure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt when parsing certain malformed DNSSEC keys.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This flaw was discovered by Hanno B�ck of the Fuzzing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Project, and is disclosed in CVE-2015-5722. [RT #40212]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A specially crafted query could trigger an assertion failure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This flaw was discovered by Jonathan Foote, and is disclosed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in CVE-2015-5477. [RT #40046]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt On servers configured to perform DNSSEC validation, an
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt assertion failure could be triggered on answers from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a specially configured server.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This flaw was discovered by Breno Silveira Soares, and is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disclosed in CVE-2015-4620. [RT #39795]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt On servers configured to perform DNSSEC validation using
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt managed trust anchors (i.e., keys configured explicitly
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt via <span class="command"><strong>managed-keys</strong></span>, or implicitly
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt via <span class="command"><strong>dnssec-validation auto;</strong></span> or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a trust anchor and sending a new untrusted replacement
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt could cause <span class="command"><strong>named</strong></span> to crash with an
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt assertion failure. This could occur in the event of a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt botched key rollover, or potentially as a result of a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt deliberate attack if the attacker was in position to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt monitor the victim's DNS traffic.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This flaw was discovered by Jan-Piet Mens, and is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disclosed in CVE-2015-1349. [RT #38344]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A flaw in delegation handling could be exploited to put
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> into an infinite loop, in which
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt each lookup of a name server triggered additional lookups
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of more name servers. This has been addressed by placing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt limits on the number of levels of recursion
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> will allow (default 7), and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt on the number of queries that it will send before
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt terminating a recursive query (default 50).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The recursion depth limit is configured via the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">max-recursion-depth</code> option, and the query limit
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt via the <code class="option">max-recursion-queries</code> option.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The flaw was discovered by Florian Maury of ANSSI, and is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disclosed in CVE-2014-8500. [RT #37580]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Two separate problems were identified in BIND's GeoIP code that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt could lead to an assertion failure. One was triggered by use of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt both IPv4 and IPv6 address families, the other by referencing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a GeoIP database in <code class="filename">named.conf</code> which was
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt not installed. Both are covered by CVE-2014-8680. [RT #37672]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A less serious security flaw was also found in GeoIP: changes
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to the <span class="command"><strong>geoip-directory</strong></span> option in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">named.conf</code> were ignored when running
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> to allow access to unintended clients.
4206bb139c83dae2a8b59b7782031ccd40439aaaTinderbox User Specific APL data could trigger an INSIST. This flaw
7e5658b04f825bc8defa83d35864ef6a0cbb5262Tinderbox User is disclosed in CVE-2015-8704. [RT #41396]
4206bb139c83dae2a8b59b7782031ccd40439aaaTinderbox User Certain errors that could be encountered when printing out
4206bb139c83dae2a8b59b7782031ccd40439aaaTinderbox User or logging an OPT record containing a CLIENT-SUBNET option
4206bb139c83dae2a8b59b7782031ccd40439aaaTinderbox User could be mishandled, resulting in an assertion failure.
7e5658b04f825bc8defa83d35864ef6a0cbb5262Tinderbox User This flaw is disclosed in CVE-2015-8705. [RT #41397]
1609eab3caf63287d1caa0d3f8b4819a0c2becffTinderbox User Malformed control messages can trigger assertions in named
1609eab3caf63287d1caa0d3f8b4819a0c2becffTinderbox User and rndc. This flaw is disclosed in CVE-2016-1285. [RT
ba38c6b4bcc2c1cff3d281225c497f1d5884a2b2Tinderbox User The resolver could abort with an assertion failure due to
ba38c6b4bcc2c1cff3d281225c497f1d5884a2b2Tinderbox User improper DNAME handling when parsing fetch reply
ba38c6b4bcc2c1cff3d281225c497f1d5884a2b2Tinderbox User messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
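Two of the fixes above, the duplicate COOKIE options of CVE-2016-2088 and the CLIENT-SUBNET option that could not be printed cleanly in CVE-2015-8705, are failures of the same step: checking an OPT record's option list before acting on it. The following is an added example written for these notes, not code from BIND, of what that check looks like in Python. It walks the option list and rejects a truncated option, a repeated COOKIE or CLIENT-SUBNET option, a COOKIE of a length RFC 7873 does not allow, and a CLIENT-SUBNET option whose address octets disagree with its prefix length, returning FORMERR-style errors rather than asserting. The option codes are the IANA code points from RFC 7871 and RFC 7873; the sample RDATA bytes are constructed for the example, not captured traffic.

```python
"""Validate the option list carried in an EDNS(0) OPT record.

Added example for these release notes, not BIND code.  A message whose
OPT RDATA fails these checks should be treated as malformed (FORMERR or
dropped); that is what a parser must do instead of asserting on it.
"""
import struct
from typing import Dict, List, Tuple

# Option codes from the IANA EDNS option registry.
EDNS_CLIENT_SUBNET = 8   # RFC 7871
EDNS_COOKIE = 10         # RFC 7873

# Options that may appear at most once in a message (RFC 7873 s5.2, RFC 7871 s7).
SINGLETON_OPTIONS = {EDNS_COOKIE, EDNS_CLIENT_SUBNET}


class MalformedOpt(ValueError):
    """The OPT RDATA is not well-formed; respond FORMERR or drop."""


def parse_edns_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Split OPT RDATA into (code, data) pairs, checking every claimed
    length against the bytes actually present (RFC 6891 section 6.1.2)."""
    options = []
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise MalformedOpt("truncated option header at offset %d" % pos)
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if len(rdata) - pos < length:
            raise MalformedOpt("option %d claims %d bytes, %d remain"
                               % (code, length, len(rdata) - pos))
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def check_cookie(data: bytes) -> None:
    """RFC 7873: an 8-byte client cookie alone, or the client cookie
    followed by an 8..32-byte server cookie (16..40 bytes total)."""
    if len(data) != 8 and not 16 <= len(data) <= 40:
        raise MalformedOpt("COOKIE option of %d bytes" % len(data))


def check_client_subnet(data: bytes) -> Tuple[int, int, int, bytes]:
    """RFC 7871 section 6: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH,
    then only as many address octets as the source prefix covers, with the
    bits past the prefix set to zero.  Returns the decoded fields."""
    if len(data) < 4:
        raise MalformedOpt("CLIENT-SUBNET option shorter than its header")
    family, source, scope = struct.unpack("!HBB", data[:4])
    address = data[4:]
    max_bits = {1: 32, 2: 128}.get(family)
    if max_bits is None:
        raise MalformedOpt("CLIENT-SUBNET family %d is not IPv4 or IPv6" % family)
    if source > max_bits or scope > max_bits:
        raise MalformedOpt("CLIENT-SUBNET prefix length exceeds %d" % max_bits)
    if len(address) != (source + 7) // 8:
        raise MalformedOpt("CLIENT-SUBNET carries %d address octets for /%d"
                           % (len(address), source))
    # Low bits of the last octet beyond the prefix must be zero.
    if source % 8 and address[-1] & (0xFF >> (source % 8)):
        raise MalformedOpt("CLIENT-SUBNET has non-zero bits past /%d" % source)
    return family, source, scope, address


def validate_opt_rdata(rdata: bytes) -> Dict[int, bytes]:
    """Return {code: data} for a well-formed option list, or raise MalformedOpt."""
    seen: Dict[int, bytes] = {}
    for code, data in parse_edns_options(rdata):
        if code in SINGLETON_OPTIONS and code in seen:
            raise MalformedOpt("option %d appears more than once" % code)
        if code == EDNS_COOKIE:
            check_cookie(data)
        elif code == EDNS_CLIENT_SUBNET:
            check_client_subnet(data)
        seen[code] = data
    return seen


def is_malformed(rdata: bytes) -> bool:
    """True if validate_opt_rdata() would reject the RDATA."""
    try:
        validate_opt_rdata(rdata)
    except MalformedOpt:
        return True
    return False


def _option(code: int, data: bytes) -> bytes:
    """Encode one option; used here only to build the constructed samples."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed samples for the example (not captured traffic).
GOOD_RDATA = (_option(EDNS_COOKIE, bytes(range(16)))                         # client + server cookie
              + _option(EDNS_CLIENT_SUBNET, b"\x00\x01\x18\x00\xc0\x00\x02"))  # 192.0.2.0/24
DUPLICATE_COOKIE_RDATA = _option(EDNS_COOKIE, b"A" * 8) * 2                  # the CVE-2016-2088 shape
BAD_SUBNET_RDATA = _option(EDNS_CLIENT_SUBNET, b"\x00\x01\x14\x00\xc0\x00\x02")  # /20, but bits set past it

if __name__ == "__main__":
    print(validate_opt_rdata(GOOD_RDATA))
    for sample in (DUPLICATE_COOKIE_RDATA, BAD_SUBNET_RDATA):
        try:
            validate_opt_rdata(sample)
        except MalformedOpt as err:
            print("rejected:", err)
```

The two length checks in `parse_edns_options` are the important ones: every later check assumes the slice it is handed is exactly the option's payload, so a claimed length that overruns the RDATA must be rejected before any option-specific code runs.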
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_features"></a>New Features</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Added support for DynDB, a new interface for loading zone data
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt from an external database, developed by Red Hat for the FreeIPA
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt project. (Thanks in particular to Adam Tkac and Petr
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Spacek of Red Hat for the contribution.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Unlike the existing DLZ and SDB interfaces, which provide a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt limited subset of database functionality within BIND —
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt translating DNS queries into real-time database lookups with
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt relatively poor performance and with no ability to handle
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt DNSSEC-signed data — DynDB is able to fully implement
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and extend the database API used natively by BIND.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A DynDB module could pre-load data from an external data
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source, then serve it with the same performance and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt functionality as conventional BIND zones, and with the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ability to take advantage of database features not
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt available in BIND, such as multi-master replication.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt New quotas have been added to limit the queries that are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt sent by recursive resolvers to authoritative servers
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt experiencing denial-of-service attacks. When configured,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt these options can both reduce the harm done to authoritative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt servers and also avoid the resource exhaustion that can be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt experienced by recursives when they are being used as a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt vehicle for such an attack.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">fetches-per-server</code> limits the number of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt simultaneous queries that can be sent to any single
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt authoritative server. The configured value is a starting
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt point; it is automatically adjusted downward if the server is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt partially or completely non-responsive. The algorithm used to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt adjust the quota can be configured via the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">fetch-quota-params</code> option.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">fetches-per-zone</code> limits the number of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt simultaneous queries that can be sent for names within a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt single domain. (Note: Unlike "fetches-per-server", this
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt value is not self-tuning.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Statistics counters have also been added to track the number
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of queries affected by these quotas.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt flexible method for capturing and logging DNS traffic,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt developed by Robert Edmonds at Farsight Security, Inc.,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt whose assistance is gratefully acknowledged.
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User To enable <span class="command"><strong>dnstap</strong></span> at compile time,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt libraries must be available, and BIND must be configured with
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a human-readable format.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt For more information on <span class="command"><strong>dnstap</strong></span>, see
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt New statistics counters have been added to track traffic
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt sizes, as specified in RSSAC002. Query and response
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt message sizes are broken up into ranges of histogram buckets:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and 4096+. These values can be accessed via the XML and JSON
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt statistics channels at, for example,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<li class="listitem">
 The serial number of a dynamically updatable zone can
 now be set using
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
 This is particularly useful with <code class="option">inline-signing</code>
 zones that have been reset. Setting the serial number to a value
 larger than that on the slaves will trigger an AXFR-style
</li>
<li class="listitem">
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30.
</li>
<li class="listitem">
 The new <span class="command"><strong>rndc nta</strong></span> command can be used to
 set a "negative trust anchor" (NTA), disabling DNSSEC validation for
 a specific domain; this can be used when responses from a domain
 are known to be failing validation due to administrative error
 rather than because of a spoofing attack. NTAs are strictly
 temporary; by default they expire after one hour, but can be
 configured to last up to one week. The default NTA lifetime
 can be changed by setting the <code class="option">nta-lifetime</code> option in
 <code class="filename">named.conf</code>. When added, NTAs are stored in a
 file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</li>
<li class="listitem">
 The EDNS Client Subnet (ECS) option is now supported for
 authoritative servers; if a query contains an ECS option then
 ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
 elements can match against the address encoded in the option.
 This can be used to select a view for a query, so that different
 answers can be provided depending on the client network.
</li>
<li class="listitem">
 The EDNS EXPIRE option has been implemented on the client
 side, allowing a slave server to set the expiration timer
 correctly when transferring zone data from another slave
</li>
<li class="listitem">
 A new <code class="option">masterfile-style</code> zone option controls
 the formatting of text zone files: When set to
 <code class="literal">full</code>, the zone file will be dumped in
 single-line-per-record format.
</li>
<li class="listitem">
 <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
 arbitrary EDNS options in DNS requests.
</li>
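<span class="command"><strong>dig +ednsopt</strong></span> takes the option code and the payload as a hexadecimal string, so exercising the ECS-based view selection described a few items above means hand-encoding the option. The following is an added example written for these notes, not part of <span class="command"><strong>dig</strong></span> or BIND: it builds that hex string for an EDNS Client Subnet option from an address or prefix, clearing the host bits and sending only the octets the prefix covers as RFC 7871 requires, and assembles the <span class="command"><strong>dig</strong></span> command line. The numeric code 8 is the IANA code point for ECS; the server address and query name in the usage are placeholders.

```python
"""Build the hex payload for `dig +ednsopt=8:<hex>` (EDNS Client Subnet).

Added example for these release notes; not part of dig or BIND.
"""
import ipaddress
import struct
from typing import List

ECS_OPTION_CODE = 8  # EDNS Client Subnet, IANA code point (RFC 7871)


def ecs_option_payload(network: str) -> bytes:
    """Encode FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH and the
    truncated address as in RFC 7871 section 6.

    `network` may be a prefix ("192.0.2.0/24") or a bare address, which
    is treated as a /32 or /128.  Host bits past the prefix are cleared
    (strict=False), since a query carrying them set is malformed, and
    SCOPE is 0 because a query must always send 0.
    """
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    source = net.prefixlen
    octets = (source + 7) // 8
    address = net.network_address.packed[:octets]
    return struct.pack("!HBB", family, source, 0) + address


def dig_ednsopt_argument(network: str) -> str:
    """The +ednsopt=code:hexvalue argument dig expects."""
    return "+ednsopt=%d:%s" % (ECS_OPTION_CODE, ecs_option_payload(network).hex())


def dig_command(name: str, server: str, network: str, rrtype: str = "A") -> List[str]:
    """argv for a dig query carrying the ECS option, ready for subprocess.run()."""
    return ["dig", "@" + server, name, rrtype, dig_ednsopt_argument(network)]


if __name__ == "__main__":
    # Placeholder server and name; one query per client network whose
    # view you want to check (the networks are constructed examples).
    for client_net in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"):
        print(" ".join(dig_command("www.example.com", "192.0.2.53", client_net)))
```

Running each printed command against an authoritative server with <code class="option">ecs</code> ACL elements in its view <code class="option">match-clients</code> shows which view answers for which client network without needing a client actually located there; compare the returned RRsets across the runs.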
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt yet-to-be-defined EDNS flags in DNS requests.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disable EDNS version negotiation.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +header-only</strong></span> can now be used to send
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt queries without a question section.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to print TTL values with time-unit suffixes: w, d, h, m, s for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt weeks, days, hours, minutes, and seconds.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt unassigned DNS header flag bit. This bit in normally zero.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt can now be used to set the DSCP code point in outgoing query
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User if mapped IPv4 addresses can be used.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">serial-update-method</code> can now be set to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="literal">date</code>. On update, the serial number will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt be set to the current date in YYYYMMDDNN format.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt number to YYYYMMDDNN.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default instead of to the system log.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The rate limiter configured by the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">serial-query-rate</code> option no longer covers
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt NOTIFY messages; those are now separately controlled by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">startup-notify-rate</code> (the latter of which
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt controls the rate of NOTIFY messages sent when the server
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt is first started up or reconfigured).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The default number of tasks and client objects available
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for serving lightweight resolver queries have been increased,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and are now configurable via the new <code class="option">lwres-tasks</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and <code class="option">lwres-clients</code> options in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">named.conf</code>. [RT #35857]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Log output to files can now be buffered by specifying
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt sending queries.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> will now check to see whether
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt other name server processes are running before starting up.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This is implemented in two ways: 1) by refusing to start
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt if the configured network interfaces all return "address
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in use", and 2) by attempting to acquire a lock on a file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt specified by the <code class="option">lock-file</code> option or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <span class="command"><strong>-X</strong></span> command line option. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default lock file is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">/var/run/named/named.lock</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifying <code class="literal">none</code> will disable the lock
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt which were configured in <code class="filename">named.conf</code>;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt it is no longer restricted to zones which were added by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this does not edit <code class="filename">named.conf</code>; the zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt must be removed from the configuration or it will return
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc showzone</strong></span> displays the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt configuration for a specified zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Added server-side support for pipelined TCP queries. Clients
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt may continue sending queries via TCP while previous queries are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt processed in parallel. Responses are sent when they are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ready, not necessarily in the order in which the queries were
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".

The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for the responses, instead of sending one
query and waiting for its response before sending the next. [RT #38261]

To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
command can be used to check the status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]

An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query trace logging. This
option can only be set at compile time. It has a
negative performance impact and should be used only for
debugging. [RT #37520]

A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]

The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]

The following record types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.

A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.

A "read-only" clause is now available for non-destructive
control channel access. In such cases, a restricted set of
rndc commands is allowed for querying information from named.
By default, control channel access is read-write.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
The timers returned by the statistics channel (indicating current
time, server boot time, and most recent reconfiguration time) are
now reported with millisecond accuracy. [RT #40082]

Updated the compiled-in addresses for H.ROOT-SERVERS.NET.

ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).

When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
of up to 256 characters can now be used.

NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)

Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.

By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.

Added support for the OPENPGPKEY type.

The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters (which
could potentially cause namespace collision problems on
case-insensitive filesystems), files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.

"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)

Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.

When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.

If <span class="command"><strong>named</strong></span> is not configured to validate the answer,
fallback to plain DNS on timeout is now allowed even when
the server is known to support EDNS. This will allow the server to
potentially resolve signed queries when TCP is being

Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".

The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.

The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.

When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
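The COOKIE option and the dig retry behaviour in the two items above, as an added example that is not BIND's or ISC's code: it parses the options carried in an OPT RR, validates COOKIE lengths per RFC 7873 (8-byte client cookie, 8 to 32 byte server cookie), and decides whether a retry carrying the returned server cookie applies. All bytes and function names are constructed for this illustration; the RCODE and TC decoding follow RFC 6891 and RFC 7873.

```python
"""EDNS COOKIE handling (RFC 7873): parse the options in an OPT RR, validate
the COOKIE lengths and decide whether a dig-style retry with the returned
server cookie applies. Added example, not BIND code; all values constructed."""
import struct

EDNS_COOKIE = 10        # standardised code point used by BIND 9.11
EDNS_SIT = 65001        # experimental predecessor (BIND 9.10.0 - 9.10.2), now obsolete
RCODE_BADCOOKIE = 23    # RFC 7873 section 8
FLAG_TC = 0x0200        # TC bit in the DNS header flags word


def parse_edns_options(rdata):
    """Split OPT RDATA into {code: data}, rejecting truncated options."""
    options = {}
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("EDNS option %d overruns RDATA" % code)
        options[code] = rdata[pos:pos + length]
        pos += length
    return options


def split_cookie(data):
    """Validate a COOKIE payload: 8-byte client cookie, optional 8-32 byte server cookie."""
    if len(data) == 8:
        return data, b""
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE option length %d" % len(data))


def build_cookie_option(client_cookie, server_cookie=b""):
    """Encode a COOKIE option (client cookie alone, or client + server)."""
    data = client_cookie + server_cookie
    split_cookie(data)  # refuse to emit a malformed option
    return struct.pack("!HH", EDNS_COOKIE, len(data)) + data


def extended_rcode(header_flags, opt_ttl):
    """12-bit RCODE: upper 8 bits live in the OPT TTL, lower 4 in the header (RFC 6891)."""
    return (((opt_ttl >> 24) & 0xFF) << 4) | (header_flags & 0x0F)


def cookie_for_retry(header_flags, opt_ttl, opt_rdata, my_client_cookie):
    """Return the COOKIE payload to send on retry, or None if no retry applies.

    Mirrors the dig behaviour described above: retry with the server cookie on
    TC=1 or BADCOOKIE. The response must echo our own client cookie; a cookie
    we did not send is ignored, so an off-path answer cannot plant one.
    Responses carrying only the obsolete SIT option offer nothing to retry with.
    """
    options = parse_edns_options(opt_rdata)
    if EDNS_COOKIE not in options:
        return None
    client, server = split_cookie(options[EDNS_COOKIE])
    if client != my_client_cookie or not server:
        return None
    truncated = bool(header_flags & FLAG_TC)
    badcookie = extended_rcode(header_flags, opt_ttl) == RCODE_BADCOOKIE
    if truncated or badcookie:
        return client + server
    return None


if __name__ == "__main__":
    # Constructed exchange: our client cookie, then a BADCOOKIE reply carrying
    # a 16-byte server cookie (header RCODE nibble 7, OPT extended RCODE 1).
    client = bytes(range(8))
    reply_rdata = build_cookie_option(client, bytes(range(100, 116)))
    print(cookie_for_retry(0x8187, 0x01000000, reply_rdata, client).hex())
```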
An alternative NXDOMAIN redirect method (nxdomain-redirect),
which allows the redirect information to be looked up from
a namespace on the Internet rather than requiring a zone
to be configured on the server, is now available.

Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.

Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis.

The default preferred glue is now the address type of the
transport the query was received over.

On machines with 2 or more processors (CPUs), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.

Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
The Microsoft Windows install tool
<span class="command"><strong>BINDInstall.exe</strong></span>, which requires a
non-free version of Visual Studio to be built, now reads two
files (lists of flags and files) created by the Configure
perl script. These supply all the needed information, which was
previously compiled into the binary. Read
<code class="filename">win32utils/build.txt</code> for more details.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
A flag could be set in the wrong field when setting up
nonrecursive queries; this could cause the SERVFAIL cache to
cache responses it shouldn't. New querytrace logging has been
added which identified this error. [RT #41155]

The server could crash due to a use-after-free if a
zone transfer timed out. [RT #41297]

Authoritative servers that were marked as bogus (e.g. blackholed
in configuration or with invalid addresses) were being queried
anyway. [RT #41321]

Some of the options for GeoIP ACLs, including "areacode",
"metrocode", and "timezone", were incorrectly documented
as "area", "metro" and "tz". Both the long and abbreviated
versions are now accepted.

<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
<span class="command"><strong>nslookup</strong></span> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]

The error message generated when
<span class="command"><strong>named-checkzone</strong></span> or
<span class="command"><strong>named-checkconf -z</strong></span> encounters a
<code class="option">$TTL</code> directive without a value has
been clarified. [RT #37138]

Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. This is actually only necessary when the
string is not enclosed in quotation marks. [RT #37159]

When files opened for writing by <span class="command"><strong>named</strong></span>,
such as zone journal files, were referenced more than once
in <code class="filename">named.conf</code>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <code class="filename">named.conf</code>
and reported as an error. [RT #37172]

When checking for updates to trust anchors listed in
<code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]

Large-system tuning
(<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
problems on some platforms by setting a socket receive
buffer size that was too large. This is now detected and
corrected at run time. [RT #37187]

When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.

Due to an inadvertent removal of code in the previous
release, when <span class="command"><strong>named</strong></span> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.

A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.

Adjusted max-recursion-queries to accommodate the smaller
initial packet sizes used in BIND 9.10 and higher when
contacting authoritative servers for the first time.

Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]

Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
processes to grow to very large sizes. [RT #38454]

Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]

Asynchronous zone loads were not handled correctly when the
zone load was already in progress; this could trigger a crash
in zt.c. [RT #37573]

A race during shutdown or reconfiguration could
cause an assertion failure in mem.c. [RT #38979]

Some answer formatting options didn't work correctly with
<span class="command"><strong>dig +short</strong></span>. [RT #39291]

Several bugs have been fixed in the RPZ implementation:
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
Policy zones that did not specifically require recursion
could be treated as if they did; consequently, setting
<span class="command"><strong>qname-wait-recurse no;</strong></span> was
sometimes ineffective. This has been corrected.
In most configurations, behavioral changes due to this
fix will not be noticeable. [RT #39229]

The server could crash if policy zones were updated (e.g.
via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
transfer) while RPZ processing was still ongoing for an
active query. [RT #39415]

On servers with one or more policy zones configured as
slaves, if a policy zone was updated during regular operation
(rather than at startup) using a full zone reload, such as
via AXFR, a bug could allow the RPZ summary data to fall out
of sync, potentially leading to an assertion failure in
rpz.c when further incremental updates were made to the
zone, such as via IXFR. [RT #39567]

The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, so an
unexpected action could be taken. This has been
corrected. [RT #39481]

The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was
already in progress. [RT #39649]

Negative trust anchors (NTAs) were incorrectly deleted
when the server was reloaded or reconfigured. [RT #41058]

Zones configured to use <span class="command"><strong>map</strong></span> format
master files can't be used as policy zones because RPZ
summary data isn't compiled when such zones are mapped into
memory. This limitation may be fixed in a future release,
but in the meantime it has been documented, and attempting
to use such zones in <span class="command"><strong>response-policy</strong></span>
statements is now a configuration error. [RT #38321]
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.